On Fri, 2010-01-22 at 09:43 +0100, Mij wrote:
> Dear syslog-ng folks,
> I am the maintainer of sshguard, see http://www.sshguard.net. Sshguard can be interfaced with syslog-ng. Multiple users of syslog-ng recently reported that switching to 3.x required a configuration change for preserving the original logging format, see
> https://sourceforge.net/mailarchive/forum.php?thread_name=EE040D72-0185-41EB...
> https://sourceforge.net/mailarchive/forum.php?thread_name=DA2160C1-09A0-475D...
> We reflected the reports by updating the setup docs to contain a block for the 2.x version and one for 3.x, see
> http://www.sshguard.net/docs/setup/getlogs/syslog-ng/
> However, this change is not apparent in your documentation or changelogs, and other users reported that with even more recent versions, the "old format" is again the correct one.

syslog-ng can operate in both 2.x compatible mode and 3.x compatible mode. The '@version' header in the syslog-ng configuration file controls which one is used. If someone has no version header, syslog-ng assumes it wants syslog-ng 2.x compatibility. There were no macro-related changes in the 3.0 series and still the format with the MSGHDR is the correct one.

> Can you clarify what is the intended template for producing entry tags of the classic format "Jan 21 12:54:09 examplehost proftpd[18965]: applmsg" in the different versions?

Can you show the user posting that states MSGHDR is the wrong approach to take? I might be able to help troubleshooting it.

-- Bazsi
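
A check for the classic layout quoted in the thread, useful for confirming that a template still emits the `program[pid]:` tag after a syslog-ng configuration change. This is an added example, not part of the thread and not code from sshguard or syslog-ng; the regular expression, the function names and all sample lines except the one quoted in the thread are assumptions constructed for illustration.

```python
import re

MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}

# Classic layout as quoted in the thread:
#   "Jan 21 12:54:09 examplehost proftpd[18965]: applmsg"
# The "[pid]" part is optional because some senders (e.g. the kernel) omit it.
CLASSIC = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>[ \d]\d) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[\]:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

def parse_classic(line):
    """Return the fields of a classic-format line, or None if it does not fit."""
    m = CLASSIC.match(line.rstrip("\r\n"))
    if m is None:
        return None
    # Reject timestamps that match the shape but cannot be real.
    if m["mon"] not in MONTHS or not 1 <= int(m["day"]) <= 31:
        return None
    if int(m["h"]) > 23 or int(m["m"]) > 59 or int(m["s"]) > 60:
        return None
    return {"host": m["host"], "program": m["prog"],
            "pid": int(m["pid"]) if m["pid"] else None,
            "message": m["msg"]}

def untagged_lines(lines):
    """1-based numbers of lines that lack the timestamp/host/program tag."""
    return [n for n, line in enumerate(lines, 1) if parse_classic(line) is None]

# Constructed sample; only the first line is taken from the thread.
SAMPLE = [
    "Jan 21 12:54:09 examplehost proftpd[18965]: applmsg",
    "Jan 21 12:54:10 examplehost sshd[2201]: constructed message",
    "Jan 21 12:54:11 examplehost constructed message without a tag",
    "Jan  1 00:00:01 examplehost kernel: constructed message, no pid",
]

if __name__ == "__main__":
    for n in untagged_lines(SAMPLE):
        print(f"line {n} has no program tag: {SAMPLE[n - 1]!r}")
```

A message body that itself begins with `word: ` is indistinguishable from a tagged line, so this check can only prove that a tag is missing, not that a present one is genuine.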